Do a quick check to make sure one of the required $_POST
payment variables is present and not empty.
So at the top of your file
if(!empty($_POST['paymentinfovariable'])) {
// put all your current code here
// that way POST info is only processed, and email is only sent,
// if your required variable has been properly POSTed.
} else {
// redirect to the homepage
wp_redirect( home_url() );
exit;
}
This way if the required post variable is missing – meaning someone is just visiting the URL – they’ll get redirected to the homepage and no email will be sent. You could go a step farther and check that a POSTed variable has the correct format, comes from the correct referring domain, etc. to further protect your security.
You should probably also look into your sitemaps – there’s a reason people (or bots) are hitting this page, and it could be as simple as setting your sitemap to meta noindex with whatever SEO plugin you are using.